RE: sbs 2003 Critical Errors in Security Log? hack attempts?

Dear Customer,

Thank you for posting back!

I understand that you encounter Event ID 531 on your SBS Server. Based on
my research, Event ID 531 can be caused by various factors. I strongly
suggest that you perform my suggestions in my last reply and see how it
goes.

If the issue persists, please help me to gather following information:

a. Is there any user facing any problem while logging on?
b. Is there any user getting locked out?
c. When did the issue occur? Did you make any changes on your SBS Server or
Network, recently?
d. Does your SBS Server work OK now? Can your clients access the Internet,
send/receive emails, etc?

For your reference:

299475 Windows 2000 Security Event Descriptions (Part 1 of 2)
http://support.microsoft.com/default.aspx?scid=kb;EN-US;299475

Please take your time to perform the steps. If you have any further
updates, please feel free to let me know. I am looking forward to hearing
from you!

Best regards,

Brandy Nee

Microsoft CSS Online Newsgroup Support

Get Secure! - www.microsoft.com/security
======================================================
This newsgroup only focuses on SBS technical issues. If you have issues
regarding other Microsoft products, you'd better post in the corresponding
newsgroups so that they can be resolved in an efficient and timely manner.
You can locate the newsgroup here:
http://www.microsoft.com/communities/newsgroups/en-us/default.aspx

When opening a new thread via the web interface, we recommend you check the
"Notify me of replies" box to receive e-mail notifications when there are
any updates in your thread. When responding to posts via your newsreader,
please "Reply to Group" so that others may learn and benefit from your
issue.

Microsoft engineers can only focus on one issue per thread. Although we
provide other information for your reference, we recommend you post
different incidents in different threads to keep the thread clean. In doing
so, it will ensure your issues are resolved in a timely manner.

For urgent issues, you may want to contact Microsoft CSS directly. Please
check http://support.microsoft.com for regional support phone numbers.

Any input or comments in this thread are highly appreciated.
======================================================
This posting is provided "AS IS" with no warranties, and confers no rights.



--------------------
Thread-Topic: sbs 2003 Critical Errors in Security Log? hack attempts?
thread-index: AcY2Y8cuD1aoe/tjQB+xitW2+mhOCg==
X-WBNR-Posting-Host: 70.37.80.220
From: "=?Utf-8?B?enhlZA==?=" <zxed@xxxxxxxxxxxxxxxxxxxxxxxxx>
References: <7FD4235A-7C49-46EF-829E-4921713C159F@xxxxxxxxxxxxx>
<DOjSe6eNGHA.768@xxxxxxxxxxxxxxxxxxxxx>
Subject: RE: sbs 2003 Critical Errors in Security Log? hack attempts?
Date: Mon, 20 Feb 2006 13:22:39 -0800
Lines: 191
Message-ID: <A614007F-040B-4E25-9D51-96EC76246EF2@xxxxxxxxxxxxx>
MIME-Version: 1.0
Content-Type: text/plain;
charset="Utf-8"
Content-Transfer-Encoding: 7bit
X-Newsreader: Microsoft CDO for Windows 2000
Content-Class: urn:content-classes:message
Importance: normal
Priority: normal
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.3790.0
Newsgroups: microsoft.public.windows.server.sbs
NNTP-Posting-Host: TK2MSFTNGXA03.phx.gbl 10.40.2.250
Path: TK2MSFTNGXA01.phx.gbl!TK2MSFTNGXA03.phx.gbl
Xref: TK2MSFTNGXA01.phx.gbl microsoft.public.windows.server.sbs:245943
X-Tomcat-NG: microsoft.public.windows.server.sbs

here is a sample from the sec log that was mailed to me
event id is 531
Logon Failure:
Reason: Account currently disabled
User Name: GUEST
Domain: WORKGROUP
Logon Type: 3
Logon Process: NtLmSsp
Authentication Package: NTLM
Workstation Name: LOCALHOST
Caller User Name: -
Caller Domain: -
Caller Logon ID: -
Caller Process ID: -
Transited Services: -
Source Network Address: 208.51.26.136
Source Port: 0

i also see logon attempts from SERVERNAME$

is that normal?


.

Relevant Pages

  • Re: logon to OWA with smtp adress as username
    ... Microsoft CSS Online Newsgroup Support ... you may want to contact Microsoft CSS directly. ... I understand that you want user logon the OWA site ...
    (microsoft.public.windows.server.sbs)
  • RE: Logging for Remote Web Workplace?
    ... Category: Account Logon ... However, even the user is logging on domain, the client will not ... This newsgroup only focuses on SBS technical issues. ... you may want to contact Microsoft CSS directly. ...
    (microsoft.public.windows.server.sbs)
  • RE: No password expiration message/Cant change password
    ... Exchange Archivesink to collect copies of all email; ... > After you change password through windows logon pages, ... > This newsgroup only focuses on SBS technical issues. ... you may want to contact Microsoft CSS directly. ...
    (microsoft.public.windows.server.sbs)
  • RE: No password expiration message/Cant change password
    ... Also you mean this issue only occurs on outlook 2003, ... After you change password through windows logon pages, ... This newsgroup only focuses on SBS technical issues. ... you may want to contact Microsoft CSS directly. ...
    (microsoft.public.windows.server.sbs)
  • RE: Getting 531 error for own workstation
    ... Logon Process: Authz ... Caller User Name: WS1$ ... Microsoft CSS Online Newsgroup Support ... This newsgroup only focuses on SBS technical issues. ...
    (microsoft.public.windows.server.sbs)
Loading